Map hack walk through for Civilization 4 V1.7.4 patch
By Apocalypticx
Updated with AoB scan scripts, so you can use either the code cave script or the AoB script.
You will need the following:
Know how to defeat DMA and write scripts within auto assembler
Cheat Engine 5.6 and up
Civilization 4 (V1.7.4patched)
First we start by opening Cheat Engine and creating a custom game on Civ 4, use these settings:
Map: Terra
Size: Duel
Climate: Temperate
Sea Level: Medium
Era: Ancient
Speed: Normal
Put only one AI in the game (so you have yourself and one AI).
Right, start by building your first city, station your only unit on that city and fortify it. Save the game and call it 'maphacktutorial' or anything you like.
Press Ctrl+W to enter the worldbuilder tool and select the reveal tile mode. Cover all the tiles around your newly established city, except the cultural coloured tiles.
3=Width 2=Height
Now pick, in your head, an area of about 3x2 tiles next to your city (the tiles have to be dark covered) and uncover that 3x2 area. Alt-tab to Cheat Engine and search for a byte value of 1. Cover the 3x2 area back up and do a next search for 0. Uncover the same 3x2 area and do a next search for 1. Keep repeating these steps in order until you get down to about 60 addresses. The addresses you found will go in a sequence; mine ended up looking like this:
1923ED30 1923ED32 1923ED34 1923ED36 etc
Your addresses will be different as this game uses DMA.
Notice how they go up by 2 each time; this is the memory area we are looking for. This memory area controls the visibility state of the map: 2=revealed, 1=revealed but dark, 0=black.
Right, cover up the 3x2 area so it's dark and exit the worldbuilder. Now add the 60 odd addresses to Cheat Engine.
Select about 10 addresses, making sure they go up in 2's, and put a value of 1 into the 10 memory addresses. Now skip a turn in the game.
Some of the blackness will reveal what is underneath it. Using the same 10 addresses put a value of 0 back into them.
Select an address out of those 10 and use ‘Find out what accesses this address’, I used an address halfway down the 10 I selected. Now skip a turn in the game.
To get Cheat Engine to display the memory view like this, go to 'View' in memory view and select 'Show module addresses', or press Ctrl+M while in memory view.
It will break in the following places:
Civilization4.exe+64893 - 0f b6 54 4d 00 - movzx edx,byte ptr [ebp+ecx*2+00]
Civilization4.exe+6494A - 0f b6 54 7d 02 - movzx edx,byte ptr [ebp+edi*2+02]
Civilization4.exe+648EC - 0f b6 4c 7d fe - movzx ecx,byte ptr [ebp+edi*2-02]
Civilization4.exe+64835 - 0f b6 44 55 00 - movzx eax,byte ptr [ebp+edx*2+00]
The line we are interested in, is the first line ‘Civilization4.exe+64893 - 0f b6 54 4d 00 - movzx edx,byte ptr [ebp+ecx*2+00]’.
First find a code cave using Cheat Engine or use a code cave finding tool, I used a code cave finding tool and came up with this address:
00C5848C
Now open up the memory view and select ‘Tools’ ‘Auto Assemble’ or better yet open memory view and press Ctrl+A.
Copy paste below into your auto assemble window:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
Civilization4.exe+64893:
jmp 00C5848C //jump to our code cave
00C5848C: //our code cave
movzx edx,byte ptr [ebp+ecx*2+00] //original line of code
mov byte ptr [ebp+ecx*2+00],02 //the actual cheat. Moves a byte value of 2 (revealed) into the map memory; 'byte ptr' keeps the write to the one visibility byte
jmp Civilization4.exe+64898 //jump back to the line after the line we jump from
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
//original code below
Civilization4.exe+64893:
movzx edx,byte ptr [ebp+ecx*2+00]
Here is the same script as above using AoB scan:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(mapreveal)
registersymbol(mapreveal)
aobscan(mapaob,0f b6 54 4d 00)
mapaob:
mapreveal:
jmp newmem
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
movzx edx,byte ptr [ebp+ecx*2+00]
mov byte ptr [ebp+ecx*2+00],02 //write only the one visibility byte
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
mapreveal:
movzx edx,byte ptr [ebp+ecx*2+00]
//Alt: db 0F B6 54 4D 00
unregistersymbol(mapreveal)
Assign that to your cheat table and call it ‘map reveal’: in the auto assemble window choose ‘File’, then ‘Assign to current cheat table’. Enable the script you just added to the cheat table and skip a few turns in the game. The map will now reveal itself!
Disable the script and reload your saved game. The next part of this tutorial covers how to make a city reveal script.
In your newly loaded game press Ctrl+W to go into the worldbuilder tool and use the reveal tile tool again. Locate the AI city while in the reveal tile mode, reveal the tile the city is on and search for a byte value of 1 in Cheat Engine. Cover the city tile back up and do a next search for 0, then uncover the city tile and do a next search for 1. Keep doing this until you have about 35 addresses. Add those 35 addresses to your cheat table.
Exit the worldbuilder, but make sure that the AI city is covered with blackness. Check the addresses and make sure they are all set to 0; remove any that aren’t. Now work your way from the top of the address list: highlight 5 addresses at a time and put a value of 1 into them, then Alt+Tab back into the game. If the AI city doesn’t appear, put a value of 0 back into those memory addresses and remove them. Keep doing this until you find the city visibility address.
My address is:
192716A2
Your address will be different as this game uses DMA.
Double-check you have the right address: put a value of 1 into it and Alt+Tab to the game, and the AI city will show under the blackness; put a value of 0 into it and the AI city will disappear.
Select the address and use ‘Find out what accesses this address’, now skip a turn in the game.
It will break in the following places:
CvGameCoreDLL.dll+8693 - 8a 84 30 ca 02 00 00 - mov al,[eax+esi+000002ca]
Civilization4.exe+29CA2C - c1 e9 02 - shr ecx,02
The line we are interested in, is the first line CvGameCoreDLL.dll+8693 - 8a 84 30 ca 02 00 00 - mov al,[eax+esi+000002ca]
What we are going to do is rewrite this line to achieve the result we want, which is for all cities to show to us.
Now open up the memory view and select ‘Tools’ ‘Auto Assemble’ or better yet open memory view and press Ctrl+A.
Copy paste below into your auto assemble window:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
CvGameCoreDLL.dll+8693:
mov al,01 //move 1 into al result is cities will show to us
nop //5 nops to balance out the gamecode and prevent a crash from happening
nop
nop
nop
nop
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
//original code below
CvGameCoreDLL.dll+8693:
mov al,[eax+esi+000002ca]
Here is the same script as above using AoB scan:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(city)
registersymbol(city)
aobscan(cityaob,8a 84 30 ca 02 00 00)
cityaob:
city:
jmp newmem
nop
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
mov al,[eax+esi+000002ca]
mov al,01
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
city:
mov al,[eax+esi+000002ca]
//Alt: db 8A 84 30 CA 02 00 00
unregistersymbol(city)
Assign that to your cheat table and call it ‘city reveal’: in the auto assemble window choose ‘File’, then ‘Assign to current cheat table’. Enable the script you just added to the cheat table and check that the AI city is revealed when you enable the script and disappears when you disable it.
Now onto the next part of the tutorial which is the paint units cheat.
Create a new hot seat game with these settings:
Map: Terra
Size: Duel
Climate: Temperate
Sealevel: Medium
Era: Ancient
Speed: Normal
Make sure there are only two players in this game which is you and one other human player.
Now activate your city reveal cheat and, playing as both players, build your first city, fortify your starting unit on the city and order a warrior for each player. Zoom out to the max or move the screen around using the minimap until you can see the enemy city with player 1; this is the direction your warrior will be heading towards. If you cannot see the enemy city with player 1, keep restarting the hot seat game with the same settings until you can see the enemy city (once they’re built, of course).
Right, skip turns until both warriors are built, then send them to the middle between both cities so the warriors can see each other (warriors are on tiles next to each other). Playing as player 1, search for a byte value of 1 when you can see player 2’s warrior. Move player 1’s warrior one tile away so it cannot see player 2’s warrior and do a next search for 0. Skip the turns until player 1 is in control again, move the warrior back to the original tile it was on so it can see player 2’s warrior again, and do a next search for 1. Keep doing this until you get down to about 20 addresses.
Add those 20 odd addresses to the cheat table, but delete any addresses that look like 244CD4F4, so anything above 2xx basically.
Make sure player 1’s warrior cannot see player 2’s warrior, so player 1’s warrior is one tile away from player 2’s warrior. Now, starting from the bottom, take 5 addresses at a time: change the value to 1, Alt+Tab to the game, skip a turn and check if you can see player 2’s warrior. If you cannot see player 2’s warrior, put the value of those addresses back to 0 and remove them from the table. Keep doing this until you find the address which holds the visibility state of player 2’s warrior.
My address is:
1CF8EDEE
Yours will be different as this game uses DMA.
When I put 1 into this address I can see player 2’s warrior and when I put 0 into this address the warrior will disappear.
Right-click the address you found and use ‘Find out what accesses this address’. Now skip a turn in the game; you will also want to move player 1’s warrior so it can see player 2’s warrior, then move it away so it cannot see player 2’s warrior.
It will break in these places:
CvGameCoreDLL.dll+E0BEE - 66 83 bc 46 28 01 00 00 00 - cmp word ptr [esi+eax*2+00000128],00
CvGameCoreDLL.dll+E39C2 - 66 83 bc 70 28 01 00 00 00 - cmp word ptr [eax+esi*2+00000128],00
CvGameCoreDLL.dll+E398E - 66 83 bc 77 28 01 00 00 00 - cmp word ptr [edi+esi*2+00000128],00
CvGameCoreDLL.dll+E951E - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E953E - 66 01 8c 7e 28 01 00 00 - add [esi+edi*2+00000128],cx
CvGameCoreDLL.dll+E955E - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E958B - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E4CAB - 66 83 bc 46 28 01 00 00 00 - cmp word ptr [esi+eax*2+00000128],00
CvGameCoreDLL.dll+E321A - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E3418 - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E1A22 - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
CvGameCoreDLL.dll+E1A9C - 66 83 bc 46 28 01 00 00 00 - cmp word ptr [esi+eax*2+00000128],00
The line we are interested in is the first line yet again, which is CvGameCoreDLL.dll+E0BEE - 66 83 bc 46 28 01 00 00 00 - cmp word ptr [esi+eax*2+00000128],00. Open up memory view at this location and scroll up a bit until you see these lines:
CvGameCoreDLL.dll+E0BD0 - e8 bb f9 f5 ff - call cvgame::isdebugmode
CvGameCoreDLL.dll+E0BD5 - 84 c0 - test al,al
CvGameCoreDLL.dll+E0BD7 - 74 06 - je cvplot::isvisible+1f
CvGameCoreDLL.dll+E0BD9 - b0 01 - mov al,01
What we need to do here is nop out that jump so the game will always move 1 into al.
Now open up the memory view and select ‘Tools’ ‘Auto Assemble’ or better yet open memory view and press Ctrl+A
Copy paste below into your auto assemble window:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
CvGameCoreDLL.dll+E0BD7:
nop //nop out the jump
nop
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
CvGameCoreDLL.dll+E0BD7:
je cvplot::isvisible+1f //the jump we need to kill
Here is the same script as above using AoB scan:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(paint)
registersymbol(paint)
aobscan(paintaob,e8 bb f9 f5 ff 84 c0 74 06)
paintaob:
paint:
jmp newmem
nop
nop
nop
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
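call cvgame::isdebugmode //the original call (01d30590 on the author's machine), written by symbol so it still resolves if the DLL loads at another base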
test al,al
nop
nop
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
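paint:
call cvgame::isdebugmode //restore all 9 bytes the enable section overwrote, not just the call
test al,al
je cvplot::isvisible+1f
//Alt: db E8 BB F9 F5 FF 84 C0 74 06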
unregistersymbol(paint)
Assign that to your cheat table and call it ‘paint units’: in the auto assemble window choose ‘File’, then ‘Assign to current cheat table’.
The next part of this tutorial will show you how to make unit flags visible.
Using the breakpoint list from above the one we are interested in this time is this:
CvGameCoreDLL.dll+E3418 - 66 83 bc 7e 28 01 00 00 00 - cmp word ptr [esi+edi*2+00000128],00
Open up that location in memory view within Cheat Engine. Look at the line just below it which is this:
CvGameCoreDLL.dll+E3421 - 7f 2a - jg cvplot::getsymboloffsetx+13d
What we need to do is change this so it always jumps when it reaches this line of code.
Now open up the memory view and select ‘Tools’ ‘Auto Assemble’ or better yet open memory view and press Ctrl+A
Copy paste below into your auto assemble window:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
CvGameCoreDLL.dll+E3421:
jmp cvplot::getsymboloffsetx+13d //jump if greater becomes a forced jump
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
//original code below
CvGameCoreDLL.dll+E3421:
jg cvplot::getsymboloffsetx+13d //original code
Here is the same script as above using AoB scan:
[ENABLE]
//code from here to '[DISABLE]' will be used to enable the cheat
alloc(newmem,2048) //2kb should be enough
label(returnhere)
label(originalcode)
label(exit)
label(unit)
registersymbol(unit)
aobscan(unitaob,7f 2a 66 83 bc 7e 4e 01 00 00 00)
unitaob:
unit:
jmp newmem
nop
nop
nop
nop
nop
nop
returnhere:
newmem: //this is allocated memory, you have read,write,execute access
//place your code here
originalcode:
jmp cvplot::getsymboloffsetx+13d
cmp word ptr [esi+edi*2+0000014e],00
exit:
jmp returnhere
[DISABLE]
//code from here till the end of the code will be used to disable the cheat
dealloc(newmem)
unit:
jg cvplot::getsymboloffsetx+13d
cmp word ptr [esi+edi*2+0000014e],00
//Alt: db 7F 2A 66 83 BC 7E 4E 01 00 00 00
unregistersymbol(unit)
Assign that to your cheat table and call it ‘unit flags’: in the auto assemble window choose ‘File’, then ‘Assign to current cheat table’.
Enable the unit flags script and skip a turn or a few turns in the game; you should now be able to see enemy unit flags. Also enable the paint units script and notice that it paints the units to your screen as well.
Right, disable every script that was active and load your saved single player ‘maphacktutorial’ game. Enable every script we have created, so that would be ‘map reveal’, ‘city reveal’, ‘paint units’ and finally ‘unit flags’. Skip a turn after activating all four scripts: the map will now reveal, and enemy cities, unit flags and units will show on the screen. Map hack walk through is now complete.
This can now be put into a trainer called whatever.exe
I will finish by saying you can also make enemy submarines visible to you as well.
Credits:
Dark Byte for making Cheat Engine
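Each script in this walkthrough changes bytes in executable memory in one of three ways: a jmp out to a cave or allocated block, a shorter instruction padded with nops, or a conditional jump replaced by nops. The Python sketch below is an added example, not part of the original post: it compares a clean copy of a code region with the live one and labels each changed run, which is how an integrity check would notice these patches. The instruction bytes are the ones quoted above; the load address, cave address and padding are constructed.

```python
import struct

def changed_runs(baseline, live, gap=1):
    """(offset, length) of each modified run; runs split by <= gap equal bytes merge."""
    runs = []
    for i, (a, b) in enumerate(zip(baseline, live)):
        if a == b:
            continue
        if runs and i - (runs[-1][0] + runs[-1][1]) <= gap:
            runs[-1][1] = i + 1 - runs[-1][0]   # extend the current run
        else:
            runs.append([i, 1])                 # start a new run
    return [tuple(r) for r in runs]

def classify(base, size, off, patched):
    """Label one modified run by the patch style it matches."""
    if len(patched) >= 5 and patched[0] == 0xE9:        # jmp rel32
        target = base + off + 5 + struct.unpack_from("<i", patched, 1)[0]
        where = "inside" if base <= target < base + size else "outside"
        return f"jmp-hook to {target:#x} ({where} module)"
    if all(b == 0x90 for b in patched):                 # instruction nopped out
        return "nop-fill"
    if patched.endswith(b"\x90"):                       # shorter code + padding
        return "rewrite+nop-pad"
    return "modified"

def audit(base, baseline, live):
    """List (offset, label) for every difference between the two copies."""
    if len(baseline) != len(live):
        raise ValueError("baseline and live region differ in size")
    return [(off, classify(base, len(baseline), off, live[off:off + n]))
            for off, n in changed_runs(baseline, live)]

# Constructed sample: the three original byte sequences from the walkthrough,
# separated by filler, at an assumed load address with an assumed cave address.
BASE, CAVE = 0x400000, 0x2A30000
PAD = b"\xcc" * 8
BASELINE = PAD + PAD.join(bytes.fromhex(h) for h in (
    "0fb6544d00", "8a8430ca020000", "e8bbf9f5ff84c07406b001")) + PAD
LIVE = bytearray(BASELINE)
LIVE[8:13] = b"\xe9" + struct.pack("<i", CAVE - (BASE + 8 + 5))  # map reveal hook
LIVE[21:28] = bytes.fromhex("b0019090909090")                    # mov al,01 + 5 nops
LIVE[43:45] = b"\x90\x90"                                        # je nopped out

if __name__ == "__main__":
    for off, label in audit(BASE, BASELINE, LIVE):
        print(f"+{off:#04x}: {label}")
```

A jump whose target lies outside the module is the strongest signal of the three, since compiled code in a module does not normally branch into a separately allocated block.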